Analysis Report solicitud.exe

Overview

General Information

Sample Name: solicitud.exe
MD5: ba3ba4527e4b52abcc5e018074a01a51
SHA1: a30dd2ac9a88eba78533276ebf8d8ce40240edac
SHA256: 43cf3baa295ce32a1c92deb30c0c203aac15f1795cac0f7d67b69ab497f83c51

Detection

404Keylogger, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected 404Keylogger
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Maps a DLL or memory area into another process
May check the online IP address of the machine
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to query locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Malware Configuration

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "informes1@maccinox.com", "ByHost: ": "mail.maccinox.com:587", "Password: ": "", "From: ": "informes1@maccinox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.550037201.0000000002743000.00000040.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000002.00000002.966098911.0000000000402000.00000040.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000000.00000002.549977579.0000000002722000.00000040.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000002.00000002.966658470.0000000000570000.00000004.00000001.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
• 0x192bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
• 0x1866e:$a3: \Google\Chrome\User Data\Default\Login Data
• 0x18ae4:$a4: \Orbitum\User Data\Default\Login Data

          Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.solicitud.exe.570000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
• 0x174bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
• 0x1686e:$a3: \Google\Chrome\User Data\Default\Login Data
• 0x16ce4:$a4: \Orbitum\User Data\Default\Login Data
2.2.solicitud.exe.570000.1.unpack | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
2.2.solicitud.exe.8e0000.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
• 0x192bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
• 0x1866e:$a3: \Google\Chrome\User Data\Default\Login Data
• 0x18ae4:$a4: \Orbitum\User Data\Default\Login Data
2.2.solicitud.exe.8e0000.4.unpack | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
2.2.solicitud.exe.570000.1.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
• 0x192bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
• 0x1866e:$a3: \Google\Chrome\User Data\Default\Login Data
• 0x18ae4:$a4: \Orbitum\User Data\Default\Login Data

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: solicitud.exe.2456.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "informes1@maccinox.com", "ByHost: ": "mail.maccinox.com:587", "Password: ": "", "From: ": "informes1@maccinox.com"}
Multi AV Scanner detection for submitted file
Source: solicitud.exe | Virustotal: Detection: 33%
Source: 2.2.solicitud.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 2.2.solicitud.exe.8e0000.4.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00408360 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408360
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00408460 FindFirstFileA,GetLastError,0_2_00408460
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00405138 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405138

Source: C:\Users\user\Desktop\solicitud.exe | Code function: 4x nop then lea edx, dword ptr [ebp-04h] 0_2_00464318
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 4x nop then push 00000000h 0_2_00464318
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 4x nop then cmp word ptr [ebp-2Ch], 07E0h 0_2_0045C8B8
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 4x nop then lea eax, dword ptr [ebp-1Ch] 0_2_0045C8B8
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 4x nop then mov eax, 00000000h 0_2_0045C8B8

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org (4 times)
Source: Joe Sandbox View | IP Address: 131.186.113.70 (2 times)
Source: Joe Sandbox View | ASN Name: unknown
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive (2 times)
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: solicitud.exe | String found in binary or memory: http://checkip.dyndns.org/
Source: solicitud.exe, 00000000.00000002.550037201.0000000002743000.00000040.00000001.sdmp, solicitud.exe, 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://mail.maccinox.com
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: solicitud.exe, 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: solicitud.exe, solicitud.exe, 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: solicitud.exe | String found in binary or memory: https://myip.dnsomatic.com
Source: solicitud.exe, 00000000.00000002.550037201.0000000002743000.00000040.00000001.sdmp, solicitud.exe, 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | String found in binary or memory: https://myip.dnsomatic.com9====
Source: solicitud.exe, solicitud.exe, 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/api/api_login.php
Source: solicitud.exe, 00000000.00000002.550037201.0000000002743000.00000040.00000001.sdmp, solicitud.exe, 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php
Source: solicitud.exe, solicitud.exe, 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/api/api_post.php

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected 404Keylogger
Source: Yara match | File source: 00000000.00000002.550037201.0000000002743000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.966098911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.967280878.00000000008B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.549977579.0000000002722000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.966658470.0000000000570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.967380955.00000000008E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.966193509.0000000000423000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.970369590.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: solicitud.exe PID: 2456, type: MEMORY
Source: Yara match | File source: Process Memory Space: solicitud.exe PID: 2092, type: MEMORY
Source: Yara match | File source: 2.2.solicitud.exe.570000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.solicitud.exe.8e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.solicitud.exe.570000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.solicitud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.solicitud.exe.8b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.solicitud.exe.2720000.3.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00438100 GetKeyboardState,0_2_00438100

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.966658470.0000000000570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.solicitud.exe.570000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.solicitud.exe.8e0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.solicitud.exe.570000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00462E37 NtQueryInformationProcess,NtQueryInformationProcess,0_2_00462E37
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0045EFEF NtCreateSection,0_2_0045EFEF
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0045F162 VirtualAlloc,CreateProcessW,NtUnmapViewOfSection,0_2_0045F162
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00455E54 NtdllDefWindowProc_A,0_2_00455E54
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004565FC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_004565FC
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004566AC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_004566AC
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004267C4 NtdllDefWindowProc_A,0_2_004267C4
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0043B07C NtdllDefWindowProc_A,GetCapture,0_2_0043B07C
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0044B004 GetSubMenu,SaveDC,RestoreDC,734BB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0044B004
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 2_2_0042A159 NtCreateSection,2_2_0042A159
Source: C:\Users\user\Desktop\solicitud.exe | Code function: String function: 00406128 appears 61 times
Source: C:\Users\user\Desktop\solicitud.exe | Code function: String function: 00404090 appears 68 times
Source: solicitud.exe | Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: solicitud.exe | Static PE information: Resource name: RT_CURSOR type: Arhangel archive data
Source: solicitud.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (12 resources)
Source: solicitud.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: solicitud.exe, 00000000.00000002.549461773.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs solicitud.exe
Source: solicitud.exe, 00000000.00000002.550037201.0000000002743000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamederabliss.exe4 vs solicitud.exe
Source: solicitud.exe | Binary or memory string: OriginalFilename vs solicitud.exe
Source: solicitud.exe, 00000002.00000002.966158114.000000000041E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamederabliss.exe4 vs solicitud.exe
Source: solicitud.exe, 00000002.00000002.967231389.00000000007F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs solicitud.exe
Source: solicitud.exe, 00000002.00000002.966019706.0000000000197000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs solicitud.exe
Source: solicitud.exe, 00000002.00000002.970996826.0000000004FD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs solicitud.exe
Source: C:\Users\user\Desktop\solicitud.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\Desktop\solicitud.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\Desktop\solicitud.exe | Section loaded: mscorjit.dll
Source: 00000002.00000002.966658470.0000000000570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.solicitud.exe.570000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.solicitud.exe.8e0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.solicitud.exe.570000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0041DC58 GetLastError,FormatMessageA,0_2_0041DC58
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004086F2 GetDiskFreeSpaceA,0_2_004086F2
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0046201F CreateToolhelp32Snapshot,Process32FirstW,VirtualAlloc,Process32NextW,0_2_0046201F
Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00416298 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_00416298
Source: C:\Users\user\Desktop\solicitud.exe | File created: C:\Users\user\Documents\Results.txt
Source: C:\Users\user\Desktop\solicitud.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\solicitud.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\solicitud.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\solicitud.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 times)
Source: solicitud.exe | Virustotal: Detection: 33%
Source: solicitud.exe | String found in binary or memory: F-Stopw
Source: unknown | Process created: C:\Users\user\Desktop\solicitud.exe 'C:\Users\user\Desktop\solicitud.exe' (2 times)
Source: C:\Users\user\Desktop\solicitud.exe | Process created: C:\Users\user\Desktop\solicitud.exe 'C:\Users\user\Desktop\solicitud.exe'
Source: C:\Users\user\Desktop\solicitud.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\solicitud.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\solicitud.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

              barindex
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\solicitud.exe | Unpacked PE file: 2.2.solicitud.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\solicitud.exe | Unpacked PE file: 2.2.solicitud.exe.400000.0.unpack
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00442024 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00442024
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00442670 push 004426FDh; ret 0_2_004426F5
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004580E4 push 0045813Eh; ret 0_2_00458136
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004160A0 push ecx; mov dword ptr [esp], edx 0_2_004160A2
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004222C0 push 00422390h; ret 0_2_00422388
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004642E8 push 00464314h; ret 0_2_0046430C
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004242F0 push 0042431Ch; ret 0_2_00424314
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004242A8 push 004242E6h; ret 0_2_004242DE
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00424328 push 00424360h; ret 0_2_00424358
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004643D8 push 004643FEh; ret 0_2_004643F6
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004224A0 push 004224CCh; ret 0_2_004224C4
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A544 push 0042A577h; ret 0_2_0042A56F
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A5F4 push 0042A637h; ret 0_2_0042A62F
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042658C push 004265E5h; ret 0_2_004265DD
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A5A4 push 0042A5D0h; ret 0_2_0042A5C8
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00430640 push 0043066Ch; ret 0_2_00430664
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042464C push 00424678h; ret 0_2_00424670
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0045C658 push 0045C684h; ret 0_2_0045C67C
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A65C push 0042A69Fh; ret 0_2_0042A697
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00442608 push 0044266Eh; ret 0_2_00442666
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A6C0 push 0042A70Ch; ret 0_2_0042A704
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A770 push 0042A79Ch; ret 0_2_0042A794
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A718 push 0042A763h; ret 0_2_0042A75B
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004107C0 push 00410836h; ret 0_2_0041082E
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004247F8 push 00424824h; ret 0_2_0042481C
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004307A8 push 004307D4h; ret 0_2_004307CC
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004107BE push 00410836h; ret 0_2_0041082E
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00410838 push 004108E0h; ret 0_2_004108D8
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0041A8C6 push 0041A973h; ret 0_2_0041A96B
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0041A8C8 push 0041A973h; ret 0_2_0041A96B
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0042A8A8 push 0042A91Eh; ret 0_2_0042A916
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0041A978 push 0041AA08h; ret 0_2_0041AA00

              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00455EDC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_00455EDC
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004565FC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_004565FC
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_004566AC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_004566AC
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0043C7A0 IsIconic,GetCapture,0_2_0043C7A0
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00422D38 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00422D38
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00452F04 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00452F04
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0043D054 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_0043D054
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0043D978 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043D978
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_00442024 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00442024
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\solicitud.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Contains functionality to detect sleep reduction / modifications
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: 0_2_0043132C 0_2_0043132C
              Source: C:\Users\user\Desktop\solicitud.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_0045544C
              Source: C:\Users\user\Desktop\solicitud.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\solicitud.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\solicitud.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-32412
              Source: C:\Users\user\Desktop\solicitud.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-37895
              Source: C:\Users\user\Desktop\solicitud.exe | API coverage: 5.7 %
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -100000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99703s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99594s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99422s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99203s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -99094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98984s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98656s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98391s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98281s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -98078s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97938s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97703s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97594s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97078s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -97000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96750s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96078s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -96000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95750s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95297s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -95000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94734s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94531s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94297s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -94094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93984s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93844s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93734s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93500s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93391s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93297s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -93047s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92953s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92844s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92750s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92578s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92484s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92391s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92234s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -92141s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91984s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91141s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -91000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90906s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90688s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90391s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90234s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90141s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -90047s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89797s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89703s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89594s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89453s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89250s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89141s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -89000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88688s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88594s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88453s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88250s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -88000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87656s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87531s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87234s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -87000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86797s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86250s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -86141s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85984s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85797s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85297s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -85094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84984s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84844s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84750s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84500s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84391s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84281s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84188s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -84047s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83938s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83844s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83719s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83578s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83500s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83391s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83234s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83141s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -83047s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82906s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82688s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82594s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82250s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -82000s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81781s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81688s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81438s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81344s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81250s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -81094s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -80984s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -80891s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -80797s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -80641s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -80547s >= -30000s
              Source: C:\Users\user\Desktop\solicitud.exe TID: 2936 | Thread sleep time: -80438s >= -30000s
              Source: C:\Users\user\Desktop\